Keycloak: Can I set the idle session timeout per client auth request? - spring-boot

Scenario:
We have our custom IDP (Spring Boot) and 2-3 clients (Spring Boot) in Keycloak. We're letting users authenticate through the OIDC flow.
Keycloak SSO Session Idle: 30 minutes (default)
Client 1: Session Expiry > 45 minutes
Client 2: Session Expiry > 15 minutes
Problem:
When Client 1 logs in, its session expiry should be set to 45 minutes, but after 30 minutes of idle screen it gets logged out.
When Client 2 logs in, its session expiry should be set to 15 minutes. After 15 minutes the client session gets killed on the client app server, but it is still present in Keycloak. So until 30 minutes the session is still present in Keycloak, and if we hit the URL we get logged in.
Question:
Can we set the session expiry as per the client's request? Or, put another way, can we override the Keycloak SSO Session Idle through the auth request or through an API?
We simply want to use the client's session expiry/timeout.

Related

Session Timeout & Sliding Timeout

I am implementing IdentityServer where the sliding expiration value is set at the client side. So is it secure?
Does the ASP.NET session timeout work in a similar way, i.e. a client-side comparison?
I just need the theory about whether session timeout is a client-side thing or a server-side thing.
What exactly happens when the session times out? Is the cookie cleared, or is some server value cleared?
Sliding expiration means that each time the session is accessed it will reset the timer back to 20 minutes again.
Also, by default sliding expiration is used so you don't need to write any code.
If the user does not access the session for the timeout period then the session will expire. If the user accesses the session at (for instance) 3:01 then the session will expire at 3:21. If the user accesses the session at 3:10 then the session will then expire at 3:30. It is always 20 minutes after the user last accessed the session (that is the meaning of sliding expiration). If the user does not access the session in that 20 minutes then the session will expire.
Hope the answer gets you a glimpse of sliding expiration...

Jhipster session timeout

In my application there is use of JHipster, Spring Boot, Spring Security, REST API, AngularJS, Spring Boot.
I know that we can set the session timeout value in the yml file.
But what I wanted to understand is how the time interval is calculated in such applications.
Ex: Suppose session timeout = 60 secs.
The user logs in and keeps the browser idle for 70 seconds. Now after 70 seconds, when the user hits some button, a popup is displayed. So I wanted to know where the calculation of the difference between the two REST endpoint calls is done, because after the session timeout interval, if I hit any API I get a session timeout.
The session timeout is computed by the embedded servlet engine (Jetty, Tomcat or Undertow); it keeps a collection of all active sessions and the time of last access.
On the first request, a session object is created in the server and a session cookie containing its id is sent back in the response; the server also stores in the session object the time of last access.
When your second request is processed, the server extracts the session id from the session cookie, then finds the session object matching this id and compares the current time with the last access time.
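The two answers above (the sliding-expiration explanation and the servlet-engine description) both describe the same server-side mechanism. The following is an added example, not code from either answer or from any servlet container: a minimal in-memory session store that keeps a last-access timestamp per session id and decides expiry on the server, so the cookie only carries the id and nothing the client sends can extend the window. The class and method names, and the timestamps, are constructed for illustration; `demo()` replays the 3:01/3:10 scenario with a 20-minute timeout and the 60-second/70-second JHipster scenario.

```python
"""Server-side idle timeout with sliding expiration (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional
import secrets


@dataclass
class Session:
    session_id: str
    last_access: datetime
    attributes: dict = field(default_factory=dict)


class SessionStore:
    """Holds every active session and its last-access time, as a servlet engine does.

    The browser's cookie carries only the id; the expiry decision is taken here
    from server-side timestamps, so a client-side timer cannot extend a session.
    """

    def __init__(self, idle_timeout: timedelta) -> None:
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}

    def create(self, now: datetime) -> str:
        sid = secrets.token_urlsafe(32)          # unguessable id for the session cookie
        self._sessions[sid] = Session(sid, now)
        return sid

    def expires_at(self, sid: str) -> Optional[datetime]:
        s = self._sessions.get(sid)
        return None if s is None else s.last_access + self.idle_timeout

    def access(self, sid: str, now: datetime) -> Optional[Session]:
        """Resolve the id from the cookie; drop the session if idle too long, else slide its timer."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_access > self.idle_timeout:
            del self._sessions[sid]              # timed out: server state is discarded
            return None
        s.last_access = now                      # sliding expiration: the window restarts here
        return s


def demo() -> dict:
    """Replays the 20-minute and 60-second scenarios from the answers above."""
    def clock(h: int, m: int, s: int = 0) -> datetime:
        return datetime(2024, 1, 1, h, m, s)    # constructed timestamps

    store = SessionStore(timedelta(minutes=20))
    sid = store.create(clock(3, 1))
    first = store.expires_at(sid)                # 3:21
    store.access(sid, clock(3, 10))
    second = store.expires_at(sid)               # 3:30, i.e. 20 min after the last access

    short = SessionStore(timedelta(seconds=60))
    idle = short.create(clock(9, 0))
    timed_out = short.access(idle, clock(9, 1, 10)) is None        # 70 s idle: gone

    busy = short.create(clock(9, 0))
    short.access(busy, clock(9, 0, 50))                            # activity keeps it alive
    still_valid = short.access(busy, clock(9, 1, 40)) is not None  # 100 s after login, 50 s after last use

    return {
        "expires_after_first_access": first.strftime("%H:%M"),
        "expires_after_second_access": second.strftime("%H:%M"),
        "idle_70s_timed_out": timed_out,
        "active_session_still_valid": still_valid,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the 70-second request is rejected even though the client never "knew" about the timeout: the comparison happens entirely in `SessionStore.access`, which is the answer to the earlier question of whether the timeout is a client-side or server-side thing.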

session time out in SiteMinder

How do I get the session timeout in SiteMinder? In our application users access via login to SiteMinder. One peculiar problem is that if a user is left idle in our application for about 20 minutes, then after 20 minutes, when he tries to access or do something, it gives fatal exceptions.
How do I get the session timeout from SiteMinder? I am using servlet filters for authentication.

Express connect session expiry not working as expected

In a web app I am developing using express.js, I am having a problem expiring sessions when a user has not been active for more than 10 minutes. I am using connect-couchdb as the session store.
I tried setting req.session.cookie.maxAge = 600000. But this causes the session to expire 10 mins after logging in irrespective of user activity. My understanding of the documentation is that req.session.touch() will be called automatically by the connect middleware and hence maxAge (and the expires date) should get refreshed so it lasts another 10 mins, but it is not happening!!
I also tried setting maxAge to 600000 on each request and calling req.session.save(), but even then there is no effect.
What am I doing wrong?
You are not doing anything wrong: this is a bug in Connect. The session cookie gets updated in the server, but not pushed to the client, and so the client keeps trying to use the old cookie, which will expire sooner than you want.
More details and discussion here.

delete cookies on session timeout in java

I am developing a Java web application in which I have configured session-timeout to be equal to 4 minutes. This application also uses cookies.
My problem is that after 4 minutes of inactivity the HttpSession expires but the cookies remain in the browser (age is set to -1). Is there any way to delete cookies after session timeout?
P.S. Setting the cookie age equal to 4 minutes won't help; cookies should be deleted after 4 minutes of inactivity.
If you set the cookie age to 4 minutes, and reset the cookie age every time your server sends a response, then the cookie will time out after 4 minutes of inactivity.
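The Connect answer (cookie refreshed on the server but never re-sent to the browser) and the Java answer just above (re-send the cookie with a fresh age on every response) are two sides of the same point: the browser's copy of the cookie has its own lifetime, independent of the server's session. The following added example, which is not code from either answer or from any framework, models that with a tiny browser cookie jar that honours `Max-Age`, and a server that tracks last access with the 4-minute timeout from the question and applies one of three cookie policies: `session` (no `Max-Age`, the Java "age -1" case), `once` (`Max-Age` sent only at login, the Connect bug) and `refresh` (`Max-Age` re-sent on every response). The cookie name `JSESSIONID`, the session id `sid-1` and all timestamps are constructed for illustration; the server also answers a stale cookie with `Max-Age=0`, which is how it can delete a cookie it never gave an age to.

```python
"""Browser cookie lifetime versus server session lifetime (constructed example)."""
from datetime import datetime, timedelta
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

COOKIE = "JSESSIONID"                 # assumed cookie name; any session cookie behaves the same
IDLE_TIMEOUT = timedelta(minutes=4)   # the 4-minute inactivity timeout from the question


def set_cookie_header(value: str, max_age: Optional[int]) -> str:
    """Build a Set-Cookie value; max_age=None gives a browser-session cookie (Java's age -1)."""
    c = SimpleCookie()
    c[COOKIE] = value
    c[COOKIE]["path"] = "/"
    c[COOKIE]["httponly"] = True
    c[COOKIE]["secure"] = True
    if max_age is not None:
        c[COOKIE]["max-age"] = max_age
    return c.output(header="").strip()


def delete_cookie_header() -> str:
    """Max-Age=0 tells the browser to drop the cookie immediately."""
    return set_cookie_header("", 0)


class BrowserCookieJar:
    """Minimal model of how a browser applies Max-Age from Set-Cookie."""

    def __init__(self) -> None:
        self._jar: Dict[str, Tuple[str, Optional[datetime]]] = {}   # name -> (value, expiry)

    def store(self, set_cookie: str, now: datetime) -> None:
        parsed = SimpleCookie()
        parsed.load(set_cookie)
        for name, morsel in parsed.items():
            max_age = morsel["max-age"]
            if max_age == "":                                  # no Max-Age: kept until browser closes
                self._jar[name] = (morsel.value, None)
            elif int(max_age) <= 0:                            # Max-Age=0: delete now
                self._jar.pop(name, None)
            else:
                self._jar[name] = (morsel.value, now + timedelta(seconds=int(max_age)))

    def get(self, name: str, now: datetime) -> Optional[str]:
        entry = self._jar.get(name)
        if entry is None:
            return None
        value, expiry = entry
        if expiry is not None and now >= expiry:
            del self._jar[name]                                # expired: browser stops sending it
            return None
        return value


class Server:
    """Tracks last access per session id; the policy decides when Set-Cookie is (re)sent."""

    def __init__(self, policy: str) -> None:
        self.policy = policy                                   # "session" | "once" | "refresh"
        self.last_access: Dict[str, datetime] = {}

    def login(self, now: datetime) -> str:
        self.last_access["sid-1"] = now                        # constructed id; use a random one in practice
        max_age = None if self.policy == "session" else int(IDLE_TIMEOUT.total_seconds())
        return set_cookie_header("sid-1", max_age)

    def request(self, cookie: Optional[str], now: datetime) -> Optional[str]:
        """Handle a request; return the Set-Cookie header to send back, or None."""
        last = self.last_access.get(cookie) if cookie else None
        if last is None or now - last > IDLE_TIMEOUT:
            self.last_access.pop(cookie, None)
            return delete_cookie_header() if cookie else None  # stale cookie: tell the browser to drop it
        self.last_access[cookie] = now                         # server-side sliding window
        if self.policy == "refresh":
            return set_cookie_header(cookie, int(IDLE_TIMEOUT.total_seconds()))
        return None


def simulate(policy: str) -> Dict[str, bool]:
    """Login at 12:00, requests at +3 and +6 min, then 5 minutes idle; report cookie presence."""
    t0 = datetime(2024, 1, 1, 12, 0)
    server, browser = Server(policy), BrowserCookieJar()
    browser.store(server.login(t0), t0)

    def visit(minutes: int) -> bool:
        now = t0 + timedelta(minutes=minutes)
        header = server.request(browser.get(COOKIE, now), now)
        if header:
            browser.store(header, now)
        return browser.get(COOKIE, now) is not None

    at_3 = visit(3)
    at_6 = visit(6)                                            # session still valid on the server
    idle_9 = browser.get(COOKIE, t0 + timedelta(minutes=9)) is not None     # 3 min idle, no request
    stale_11 = browser.get(COOKIE, t0 + timedelta(minutes=11)) is not None  # 5 min idle, before any request
    after_11 = visit(11)                                       # server sees a timed-out session
    return {"at_3min": at_3, "at_6min": at_6, "idle_at_9min": idle_9,
            "stale_at_11min": stale_11, "after_request_at_11min": after_11}


if __name__ == "__main__":
    for p in ("session", "once", "refresh"):
        print(p, simulate(p))
```

Under `once` the cookie is gone from the browser at the +6 minute request even though the server would still have accepted the session, which is the Connect symptom. Under `session` the cookie outlives the server session and is only cleared when a request comes back with it and the server answers `Max-Age=0`. Under `refresh` the browser drops it on its own 4 minutes after the last response, which is the behaviour the Java answer describes.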